Mobile ad hoc networks are a class of networks based on wireless technologies. Ad hoc networks are a permanent or temporary collection of nodes that can communicate with each other. A “node” is a device with a network interface that is participating in routing in the mobile ad hoc network. A node can be a large network (eg, a Local Area Network (LAN)) or a single device. Examples of devices that can act as nodes include mobile phones, laptop computers and personal digital assistants (PDAs). For a wireless network each node will have a transmitter and receiver so that each node can communicate with neighbouring nodes. The advent of accessible and compact short range communication systems such as the Bluetooth™ system means it is now feasible that a wide range of devices can be configured to behave as nodes.
Ad-hoc networks have no pre-existing infrastructure and there is no central entity to provide network administration services. Each mobile node operates as a router, forwarding packets for other mobile nodes in the network that may not be within direct wireless transmission range of each other. End-to-end communication may require the routing of information via several intermediate nodes.
Ad hoc networks are sometimes referred to as multi-hop networks, where a hop is a direct link between two nodes. If wireless communication is being used then two nodes are within one hop of each other if they lie within each other's transmission range.
Ad hoc networks may find use, for example, for emergency services coordinating their efforts, business associates sharing information during a meeting, and students using laptop computers to participate in an interactive lecture.
Routing protocols used in ad hoc networks can normally be classed as either “proactive”, “reactive” or “hybrid”. Proactive routing relies on flooding the whole network with route update information. These update transmissions occur periodically, for example, every 5 seconds. Proactive routing schemes are used for Internet communication. As much of the update information is the same from one update to the next, conventional proactive routing is seen to be too resource intensive for use in ad hoc networks.
In reactive routing schemes a node will only try to locate another node when it is necessary. This avoids wastage of resources but increases delays in the routing.
Hybrid routing protocols have been developed. An example of a hybrid protocol is the Zone Routing Protocol (ZRP). In ZRP, proactive routing is performed locally, and reactive routing is used to discover routes outside of the proactive routing zone. Each node maintains route information for all the nodes within the routing zone.
The following terms are used in this document, but may be used differently elsewhere. An “originator node” is a node which originates a data packet, intended for a certain “destination node”. A node is a “neighbour node” of another node if it is only one hop away, ie within direct transmission range. Likewise, a “2-hop neighbour node” is a node which is two hops away. If the destination node is not a neighbour node of the originator node, the data packet will have to traverse a multi-hop route consisting of “intermediate nodes”. In a specific scenario, the “sending node” is the last node to send the data packet. A “friendly” node is one which is willing and able to forward packets. A “routing message” is any packet used by the routing protocol to affect routing information.
It is desirable to know, when a packet of information has been sent to an intermediate node, whether the packet has been received and forwarded by that node. FIG. 1 schematically illustrates a passive acknowledgement system. For illustrative purposes only three nodes are shown, A, B and C. Node A sends a packet of information to node B which then sends the packet onto node C. When node B transmits the packet to node C the transmission is generally isotropic, that is the message is transmitted with approximately equal strength in all directions. Therefore, when B transmits to C then A will also receive that transmission. In this way A will have confirmation that the packet has been forwarded by B.
A problem with passive acknowledgement is that the signal that B transmits may not reach A due to collisions or other interference.
Mobility introduces a major design constraint not present in wired networks, namely the need for energy efficiency. The consequence of this is that network services must be efficient, and must also take account of nodes which do not have enough energy to participate. An example of where this can give rise to a security threat is provided by the routing service in the network. Routing is a distributed operation in ad hoc networks, where every node can act as a router. Failed nodes are defined as those nodes which do not have enough resources to generate or forward data packets, and such nodes may often occur through battery exhaustion.
However, there is a related class of threats to routing arising from ‘selfish nodes’. These nodes try to exploit the routing protocol to their own advantage. Selfish nodes are nodes that have the ability to forward information packets but do not do so. The primary motivation for their unhelpful behaviour is to enhance their own performance and to save their own energy resources. In ad hoc networks, the main threat from such nodes comes from the selfish dropping of packets, which can severely affect the performance of the network. Selfish nodes may also attempt to gain a better quality of service by reserving routes and bandwidth by not responding to routing messages. The key difference between failed and selfish nodes is that selfish nodes have the ability and resources to forward packets, whereas failed nodes do not.
Another class of threats is from badly failed nodes. A badly failed node functions in the network but transmits incorrect information. Malfunctioning equipment or software bugs may cause badly failed nodes. A further class of threats is from malicious nodes. A malicious mode also sends out wrong information, but this is done deliberately to disrupt the network.
Failed, badly failed, selfish and malicious nodes are all classes of “unfriendly nodes”.
Awerbuch et al. attempt to address the problems of failed and selfish nodes. (B. Awerbuch, D. Holmer, C. Nita-Rotaru, and H. Rubens. “An on demand secure routing protocol resilient to Byzantine failures”, in D. Maughan and N. Vaidya, editors, Proceedings of the ACM Workshop on Wireless Security, Sep. 28, 2002, Atlanta, Ga., USA, pages 21-30. ACM Press, 2002).
The Awerbuch mechanism uses explicit acknowledgements; however, in this scheme, the originator node is responsible for maintaining the status of the route. When the originator node has not received an acknowledgement for a data packet, the originator node has to perform a binary search on the route using a system of probes to try and discover which link is broken. The link which is believed to be broken is weighted negatively. A link management system is used to calculate routes, so route calculations involving broken links will produce negative results so that they are not used.
Yang et al. also attempt to address the problems of failed and selfish nodes (H. Yang, X. Meng, and S. Lu, “Self-organized network-layer security in mobile ad hoc networks”, in D. Maughan and N. Vaidya, editors, Proceedings of the ACM Workshop on Wireless Security, Sep. 28, 2002, Atlanta, Ga., USA, pages 11-20. ACM Press, 2002). Yang uses passive acknowledgements, and the identities of nodes which have been detected as misbehaving are broadcast to the rest of the network. This collaborative approach uses tokens to grant access to network services.
There has been much work on generic mechanisms designed to work with any routing protocol. Previously proposed schemes by Marti et al. (S. Marti, T. J. Giuli, K. Lai, and M. Baker, “Mitigating routing misbehavior in mobile ad hoc networks”, in R. Pickholtz, S. Das, R. Caceres, and J. J. Garcia-Luna-Aceves, editors, Proceedings of the Sixth Annual International Conference on Mobile Computing and Networking, August 6-11, 2000, Boston, Mass., USA, pages 255-265. ACM Press, 2000.), and Buttyan and Hubeaux (L. Buttyan and J. Hubaux. Stimulating cooperation in self-organising mobile ad hoc networks. ACM/Kluwer Mobile Networks and Applications (MONET), 8(5), October 2003, to appear) attempt to mitigate the effect of selfish nodes using a currency model, where nodes are given “virtual money” which they must use in order to request a service such as forwarding a data packet, ie they “pay” a node to perform a service and that node can then use the “money” to pay for services itself. Recently more research has been conducted on distributed reputation mechanisms by (1. S. Buchegger and J.-Y. Le Boudec, “Performance analysis of the CONFIDANT protocol (cooperation of nodes: Fairness in dynamic ad-hoc networks)”, in J. Hubaux, J. J. Garcia-Luna-Aceves, and D. Johnson, editors, Proceedings of The Third ACM International Symposium on Mobile Ad Hoc Networking and Computing, 9-11 Jun., 2002, Lausanne, Switzerland, pages 226-236. ACM Press, 2002; and 2. P. Michiardi and R. Molva, “CORE: A collaborative reputation mechanism to enforce node cooperation in mobile ad hoc networks, in B. Jerman-Blazic and T. Klobucar, editors, Communications and Multimedia Security, IFIP TC6/TC11 Sixth Joint Working Conference on Communications and Multimedia Security, Sep. 26-27, 2002, Portoroz, Slovenia, volume 228 of IFIP Conference Proceedings, pages 107-121, Kluwer Academic, 2002. A major problem with reputation mechanisms of this type is that they suppose that past behaviour is indicative of future behaviour. This allows a malicious node to build a good reputation, until an opportunity arises for when the malicious node can inflict maximum damage for a long period of time.
Also, current distributed solutions rely too much on a “promiscuous” mode, which can be unreliable in certain situations. For example, if node A were to transmit a packet for node B to forward to node C, node B may have to move out of node A's transmission range in order to do so. In a promiscuous based mechanism, unless node A moves along with node B, it would receive no acknowledgement that node B forwarded the packet to node C. There are also fundamental problems with collisions, where node A does not hear node B forwarding a packet for it, as another node D has also began transmission which prevents the signal from node B reaching node A. Observation in promiscuous modes is difficult due to different frequencies and spread spectrum technologies. Therefore, each node will have to waste a lot of resources monitoring all frequencies. These are some of several flaws with current data link layer protocols and promiscuous observation.
Distributed reputation operations also need a high number of messages to detect misbehaviour, and this increases the amount of time needed to react appropriately. The extra number of messages exchanged are now vulnerable to many of the same attacks on routing messages. In addition, other new attacks exist such as spoofing positive or negative reputation messages.